The Samba open source suite (http://www.samba.org) allows Linux and other Unix-like platforms to operate more easily within Windows NT domains and provides seamless file and print services to SMB and CIFS clients. Over the last six years, a number of remote vulnerabilities have been found in Samba services that allow attackers to compromise mostly Linux systems.
At the time of writing, the ISS X-Force vulnerability database (http://xforce.iss.net) lists a number of serious remotely exploitable issues in Samba (not including denial of service or locally exploitable post-authentication issues), as shown in Table 9-6.
| XF ID | Date | Notes |
|---|---|---|
| 12749 | 27/07/2003 | Samba 2.2.7a and prior reply_nttrans() overflow |
| 11726 | 07/04/2003 | Samba 2.2.5 through 2.2.8 and Samba-TNG 0.3.1 and prior call_trans2open() remote overflow |
| 11550 | 14/03/2003 | Samba 2.0 through 2.2.7a remote packet fragment overflow |
| 10683 | 20/11/2002 | Samba 2.2.2 through 2.2.6 password change request overflow |
| 10010 | 28/08/2002 | Samba 2.2.4 and prior enum_csc_policy() overflow |
| 6731 | 24/06/2001 | Samba 2.0.8 and prior remote file creation vulnerability |
| 3225 | 21/06/1999 | Samba 2.0.5 and prior messaging service remote overflow |
| 337 | 01/09/1997 | Samba 1.9.17 and prior remote password overflow |
Depending on the open network ports of a given Unix-like host running Samba, you are presented with a number of avenues to perform enumeration and brute-force password-grinding attacks. In particular, refer to the earlier examples of attacks launched against MSRPC, NetBIOS session, and CIFS services, because the same tools are equally effective against accessible Samba services running on ports 135, 139, and 445, respectively.